RE: Winstar says there is no TCP/BGP vulnerability
daemon@ATHENA.MIT.EDU (Michel Py)
Wed Apr 21 00:51:41 2004
Date: Tue, 20 Apr 2004 21:51:06 -0700
From: "Michel Py" <michel@arneill-py.sacramento.ca.us>
To: "Patrick W.Gilmore" <patrick@ianai.net>, <nanog@merit.edu>,
"Christopher L. Morrow" <christopher.morrow@mci.com>
Errors-To: owner-nanog-outgoing@merit.edu
Patrick / Christopher,
>> Michel Py wrote:
>> Please forgive me if I'm naive and/or ask a stupid question,
>> but is there any reason (besides your platform not supporting
>> it) _not_ to MD5 your BGP sessions? Geez, on my _home_ router
>> all my v4 BGP sessions are MD5ed (v6 not there yet).
> Patrick W.Gilmore wrote:
> There is serious operational overhead in maintaining sync'ed
> passwords between separate organizations. IOW: Eventually
> someone will screw up and lose the password.
> [large snip]
Thanks for the insight. I have an even dumber question:
Context: set aside the MD5, the way I configure BGP sessions/traffic
from/to peers is as follows:
a) A generic (configured in the peer-group) route-map to filter the
routes I announce to the peer to be only my blocks.
b) A specific-to-the-peer route-map to filter the routes I receive from
the peer to the peer's blocks, as agreed in the beer drinking meeting
^H^H^H^H BLPA. This route map is not entirely specific, as I also put in
stuff such as deny RFC1918 routes ;-)
c) A generic access-list filtering ingress traffic from the peer to me
to allow only traffic which DA is mine. (cracks me up if the peer sets a
default to me :-)
d) A generic access-list filtering egress traffic from me to the peer to
allow only traffic which SA is mine.
Now, the dumb question:
Given:
1) The context above especially item b
2) Christopher Morrow's comments below
Explain to me what having or not having the MD5 password changes. Either
you're small and/or stupid and do it manually, or you have an automated
system that does it for you.
> Christopher L. Morrow wrote:
> there is the issue of changing the keys during operations
> without impacting the network, eh? Having to bounce every
> bgp session in your network can be pretty darned painful...
> if you change the key(s) of course.
See above: Changing the route-map is equally painful.
> If you don't you might as well not have keys, since adding
> the 3 lines of C code required to Paul Watsons' program
> making it do the hashing certainly won't be a big deal, eh?
I'm weak with C. Besides adding "neighbor x.x.x.x password 7 " below
"enable-password 7 " for each peer (which requires recompiling, how
annoying), would you care to share the 3 said lines for the code below :-)
Michel.
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
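/* Cisco "type 7" key stream: output byte n is the input byte XORed with
 * xlat[seed + n].  Type 7 is reversible keyed XOR, not a hash, so any
 * "password 7 " line leaks its plaintext to whoever can read the config.
 * Only 22 key bytes are listed here, so at most 22 - seed characters can
 * be decoded with this table. */
static const unsigned char xlat[] = {
    0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
    0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
    0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44
};

/* Config-line prefixes that introduce a type-7 password; main() matches
 * them at the start of a line only. */
static const char pw_str1[] = "password 7 ";
static const char pw_str2[] = "enable-password 7 ";

/* argv[0], used in diagnostics and usage output. */
char *pname;

/* Value of one ASCII hex digit in either case, or -1 if c is not one. */
static int hex_digit_value(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    if (c >= 'A' && c <= 'F')
        return c - 'A' + 10;
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;
}

/*
 * Decode a Cisco type-7 ("password 7") string.
 *
 * enc_pw: NUL-terminated text of the form SSHH..., two decimal seed digits
 *         (00..15) followed by an even number of hex digits.  The string
 *         is not modified (the original uppercased it in place).
 * dec_pw: receives the NUL-terminated plaintext.  At most sizeof xlat + 1
 *         bytes are ever written, because inputs that would need more key
 *         bytes than the table holds are rejected before the loop.
 *
 * Returns 0 on success, -1 on malformed input: odd length, non-decimal
 * seed, seed > 15, a non-hex digit, or more bytes than the table covers.
 */
int cdecrypt(char *enc_pw, char *dec_pw)
{
    size_t len = strlen(enc_pw);
    size_t nbytes;
    unsigned int seed;

    /* Two seed digits plus an even number of hex digits. */
    if (len < 2 || (len & 1))
        return -1;
    if (!isdigit((unsigned char)enc_pw[0]) || !isdigit((unsigned char)enc_pw[1]))
        return -1;
    seed = (unsigned int)(enc_pw[0] - '0') * 10 + (unsigned int)(enc_pw[1] - '0');
    if (seed > 15)
        return -1;

    nbytes = (len - 2) / 2;
    /* The original walked xlat[seed++] with no bound and read past the
     * table on long inputs; refuse them instead.  This also caps the
     * number of bytes written to dec_pw. */
    if (nbytes > sizeof xlat - seed)
        return -1;

    for (size_t i = 0; i < nbytes; i++) {
        int hi = hex_digit_value((unsigned char)enc_pw[2 + 2 * i]);
        int lo = hex_digit_value((unsigned char)enc_pw[3 + 2 * i]);
        if (hi < 0 || lo < 0)
            return -1;
        dec_pw[i] = (char)(((hi << 4) | lo) ^ xlat[seed + i]);
    }
    /* Terminator goes right after the last decoded byte; the original
     * placed it two cells further on and left those cells uninitialized. */
    dec_pw[nbytes] = '\0';
    return 0;
}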
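/* Print both invocation forms to stdout.  Always returns 0 so callers can
 * call it and then decide the exit status themselves. */
int usage(void)
{
    fprintf(stdout, "Usage: %s -p <encrypted password>\n", pname);
    fprintf(stdout, "       %s <router config file> <output file>\n", pname);
    return 0;
}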
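/*
 * Entry point.  Modes, selected from argv:
 *   -h                     print usage
 *   -p <encrypted>         decode one type-7 string and print it to stdout
 *   [config [output]]      copy a config file, replacing the value on lines
 *                          that start with "password 7 " or
 *                          "enable-password 7 " by its plaintext;
 *                          defaults to stdin and stdout.
 * Exit status is 1 on a usage error, an unknown option, an unopenable
 * file, a failed final write, or a line whose password cannot be decoded.
 */
int main(int argc, char **argv)
{
    FILE *in = stdin, *out = stdout;
    char line[257];
    /* A decoded password has fewer bytes than its hex form, so a buffer as
     * large as the line cannot overflow whatever cdecrypt() accepts. */
    char passwd[sizeof line];

    pname = argv[0];
    if (argc > 1) {
        if (argc > 3) {
            usage();
            exit(1);
        }
        if (argv[1][0] == '-') {
            switch (argv[1][1]) {
            case 'h':
                usage();
                break;
            case 'p':
                /* "-p" needs its argument; argv[2] is NULL otherwise and
                 * the original handed it straight to strlen(). */
                if (argc < 3) {
                    usage();
                    exit(1);
                }
                if (cdecrypt(argv[2], passwd)) {
                    fprintf(stderr, "Error.\n");
                    exit(1);
                }
                fprintf(stdout, "password: %s\n", passwd);
                break;
            default:
                /* The original reported this and still exited 0. */
                fprintf(stderr, "%s: unknown option.\n", pname);
                usage();
                exit(1);
            }
            return 0;
        }
        if ((in = fopen(argv[1], "rt")) == NULL) {
            perror(argv[1]);
            exit(1);
        }
        if (argc > 2 && (out = fopen(argv[2], "wt")) == NULL) {
            perror(argv[2]);
            exit(1);
        }
    }

    for (;;) {
        size_t len = 0;
        size_t pw_pos = 0;
        int c = 0;

        /* Read one line into line[], dropping '\r' so CRLF configs work.
         * fgetc() is kept in an int so EOF is never confused with a byte
         * (the original stored it in a char).  A line longer than the
         * buffer is handled in pieces, as before. */
        while (len < sizeof line - 1 && (c = fgetc(in)) != EOF) {
            if (c == '\r')
                continue;
            if (c == '\n')
                break;
            line[len++] = (char)c;
        }
        if (c == EOF && len == 0) {
            fclose(in);
            /* fclose() flushes the last buffered output; report a failed write. */
            if (fclose(out) != 0) {
                perror("fclose");
                return 1;
            }
            return 0;
        }
        line[len] = '\0';

        if (!strncmp(line, pw_str1, strlen(pw_str1)))
            pw_pos = strlen(pw_str1);
        if (!strncmp(line, pw_str2, strlen(pw_str2)))
            pw_pos = strlen(pw_str2);

        if (!pw_pos) {
            /* Unchanged lines go to the same stream as decoded ones; the
             * original sent them to stdout even when an output file was
             * given, splitting the config across two destinations. */
            fprintf(out, "%s\n", line);
            continue;
        }
        if (cdecrypt(&line[pw_pos], passwd)) {
            fprintf(stderr, "Error.\n");
            exit(1);
        }
        fprintf(out, "%s%s\n", pw_pos == strlen(pw_str1) ? pw_str1 : pw_str2, passwd);
    }
}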